SSO (single sign-on) support

[kgodey]

Mathesar should have support for SSO (single sign-on) for user management.

---

If you'd like us to build this feature, please comment below with more details about how you plan to use this functionality.

[htbrown]

I've been looking at applications like NocoDB and Baserow and both either currently require or are planning to require an enterprise subscription to use SSO; they deem it only necessary for large enterprises.

I'm a single user looking to spin up something similar to Airtable which integrates with my Keycloak/Active Directory combination so I can have a single account for all my services for the sake of simplicity. If this were to be included in Mathesar, do you know whether you'd consider using OIDC for this feature?

[kgodey]

@htbrown Thanks for your comment! We haven't done much planning for this feature yet, but I do think we will probably implement using OIDC. All of Mathesar's features will be open source; we don't have plans for proprietary features.

[dalemccrory]

I would really appreciate this as well. We are a non-profit and putting postgres at the center of our data warehousing strategy (as we don't deal with tons of data). To get the best adoption of our new data strategy and keep costs inline, having SSO would be huge help. We would be looking to hook it into our Azure AD LDAP.

I also don't like that anytime we have to do anything with SSO it turns the whole contracting process on it's head for most products.

[kgodey]

Thanks @dalemccrory! For our implementation, it's helpful to know that you'd be looking to hook it up into Azure AD LDAP.

[kubeworkz]

SSO for sure. IMO passwordless should have been universal by now. Being the domain of big corporations has severely limited its' growth. I know it's an easy revenue generator but we need to get past that. You should strongly consider adding SSO to all products. Even small guys can benefit from it. There's way more small guys than big guys.

[kgodey]

SSO is high on our priority list! We're still thinking through how best to implement it. Could you share any details about how you plan to use it or what technologies or specifications you'd like us to support?

[kubeworkz]

Cool! I think starting with the basics like Github / Google stuff would be great. SSO is a real science these days. Probably Oauth2 first. We have a Saas product that we would like to add db management to. Right now we're using Supabase and we're running into some limitations. We'd like more control over our backend. btw: This is a wicked awesome project - well done.

[kgodey]

Thank you very much! I'm curious about what kinds of limitations you're running into with your current backend, if you don't mind sharing.

[kubeworkz]

At Supa there are project and resource limits. OK for developing but price prohibitive for production. Especially when starting up a new venture. Also, it's finicky on location. You need to be close to the database and connection pooling sometimes acts up.

[kgodey]

Thank you!

[kgodey]

Here's a user explaining how to use django-auth-ldap with Mathesar as a workaround: #3048 (comment).

[tetricky]

I understand that sso is often used as a monetisable 'enterprise' differentiator, but I don't see it that way. for me it's a way to safely and manageably expose access to services to my community.

If I am hosting something as an internet facing service, I want to be able to easily allow community contribution and access to the services controlled by a central source of authority. I run a sports community of long standing (think dating back to the nineties), this centres around a forum (I'm currently using misago) and provides various accessible services to community members to encourage engagement and community development (games, collaborative editors, messaging, web publishing). This is done using my labour, and my funding. This is not for profit.

I want to extend database collaboration to our tools - I have used nocodb, but that uses sso to allow access to the portal, and then fine grained permissions based on the nocoddb/database specific project access basis.

Mathesar is a potentially better fit for me - I try to standardise services on a postgresql backend dependency, to reduce the number of databases that need to be maintained and backed up. Small scale community maintenance is not aided by multiple different systems. Nor is widespread and different authentication systems, which are hard to maintain and hard to learn for users, which reduces availability and engagement.

I use self-hosted authelia with an lldap backend for my sso, and have contributed the authelia/misago integration to the documentation. I also maintain a third party community misago container build.

I aim to integrate and expose services with the minimum resource consumption, and maximum shared dependencies. Mathesar with openid connect served by authelia running on a postgresql database backend would fit well with my requirements, and I suspect find quite wide application in the self-hosting community.

So I'm here to add background on my use case, and vote for the motion.

[kgodey]

@tetricky Thank you very much for the detailed description of your use case and requirements. This is very helpful for us.